feat(ttp): E.3.9 BehavioralLifter (R0031-R0040)
Reads pre-shaped session aggregates from TaggerEvent.payload and emits techniques per Appendix A behavior tables. Per-rule predicates dispatch on match.kind (lifter:behavioral_<name>); the lifter holds its own RuleIndex watching the same RuleStore as the engine, so disable / clip / TTL state reaches lifter-bound rules through the same atomic-swap path. R0032/R0036/R0037/R0040 YAMLs had over-escaped regex strings (\\ instead of \\) — fixed in place. Factory wired so default get_tagger() returns CompositeTagger with BehavioralLifter shipped; remaining three lifters (E.3.10-E.3.12) land in subsequent commits. E.2.6 contract preserved via TolerantTagger: empty payload steady-state yields [] with zero ERROR records. Disabled / clipped / expired state verified.
This commit is contained in:
@@ -20,6 +20,13 @@ from decnet.ttp.impl.credential_lifter import CredentialLifter
|
||||
from decnet.ttp.impl.email_lifter import EmailLifter
|
||||
from decnet.ttp.impl.identity_lifter import IdentityLifter
|
||||
from decnet.ttp.impl.intel_lifter import IntelLifter
|
||||
from tests.ttp._stub_store import StubRuleStore
|
||||
|
||||
|
||||
def _instantiate(cls: type[TolerantTagger]) -> TolerantTagger:
|
||||
if cls is BehavioralLifter:
|
||||
return cls(StubRuleStore()) # type: ignore[call-arg]
|
||||
return cls()
|
||||
|
||||
ALL_LIFTERS = [
|
||||
BehavioralLifter,
|
||||
@@ -65,7 +72,7 @@ def test_lifter_names_are_unique_and_non_empty():
|
||||
|
||||
@pytest.mark.parametrize("cls", ALL_LIFTERS)
|
||||
def test_lifter_tag_returns_empty_list_for_handled_event(cls):
|
||||
lifter = cls()
|
||||
lifter = _instantiate(cls)
|
||||
kind = next(iter(cls.HANDLES))
|
||||
out = asyncio.run(lifter.tag(_ev(kind)))
|
||||
assert out == []
|
||||
@@ -74,7 +81,7 @@ def test_lifter_tag_returns_empty_list_for_handled_event(cls):
|
||||
@pytest.mark.parametrize("cls", ALL_LIFTERS)
|
||||
def test_lifter_instantiable(cls):
|
||||
# No abstract methods left — concrete subclass must be constructible.
|
||||
cls()
|
||||
_instantiate(cls)
|
||||
|
||||
|
||||
# ── E.2.6 deferred absence-tolerance behavior ──────────────────────
|
||||
@@ -85,6 +92,10 @@ def test_e26_intel_lifter_partial_provider_nulls():
|
||||
raise AssertionError("not yet implemented")
|
||||
|
||||
|
||||
@pytest.mark.xfail(strict=True, reason="impl phase E.3 — BehavioralLifter empty join")
|
||||
def test_e26_behavioral_lifter_no_attacker_behavior_row():
|
||||
raise AssertionError("not yet implemented")
|
||||
"""E.3.9: a session event with no AttackerBehavior fields populated
|
||||
must produce zero tags and zero errors. Was xfail-strict before
|
||||
BehavioralLifter shipped; now a real assertion."""
|
||||
lifter = BehavioralLifter(StubRuleStore())
|
||||
out = asyncio.run(lifter.tag(_ev("session")))
|
||||
assert out == []
|
||||
|
||||
Reference in New Issue
Block a user